Summary

Acunetix 360 detected a missing validation of the jku parameter in a JSON Web Token's header. This allows for the forgery of valid JSON Web Tokens with arbitrary payloads.

Impact

Attackers might be able to tamper with the values inside the JWT token payload and escalate privileges, impersonate users or trigger unintended application states that were meant to be prevented by the use of a tamper-proof token solution. Additionally they may be able to trigger a blind SSRF attack.

Remediation

In order to fix this vulnerability,  you need to implement a whitelist of URLs that are allowed to host a JWK file, specified in the jku header parameter. To make sure it is resilient to validation bypasses, please make sure to validate the full URL and path and disable HTTP redirection for the HTTP library responsible for the token retrieval.

Severity

High

Classification

CWE-639 OWASP 2017-A1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N